ACM-21974 (Red Hat Advanced Cluster Management)

RBAC model refinement from virt rbac


    • Support a more general RBAC model based on the virt RBAC.
    • Product / Portfolio Work
    • To Do
    • VIRTSTRAT-51 - Enable fine-grained RBAC support in ACM for Virt use cases

      Epic Goal

      With ACM 2.14, we have implemented an aggregated-apiserver to support Virtualization RBAC use cases only.

      This aggregated-apiserver reads ClusterPermission with certain subjects, and builds an authz cache.

      The goal is for more components, such as ACM Search, to be able to query it to learn which projects/clusters a user is authorized for at the ACM hub.

      Why is this important?

      It could provide a more general RBAC model across clusters for ACM.

      Scenarios

      There is a desire to expand to a more general RBAC model at the ACM hub. For example:

      1. Search can query it to return a filtered list of any resource it collects.
      2. OpenShift GitOps scenarios could benefit (open question).
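      The authz cache described under Epic Goal and the Search filtering in scenario 1, sketched as an added Go example. This is not code from the ACM aggregated-apiserver; Binding and Resource are constructed stand-ins, not the ClusterPermission CRD schema, and an empty Namespace is assumed to mean a cluster-wide grant.

```go
package main

// Binding is a constructed stand-in for what the cache needs from a
// ClusterPermission (subject, managed cluster, namespace); not the CRD schema.
type Binding struct {
	Cluster   string // managed cluster the permission applies to
	Namespace string // project granted; "" means the whole cluster
	Subject   string // e.g. "User:alice" or "Group:virt-admins"
}
// Resource is a constructed stand-in for one item Search has collected.
type Resource struct{ Cluster, Namespace, Name string }
// AuthzCache maps each subject to the "cluster/namespace" scopes it may read,
// so a consumer such as Search can ask without re-reading ClusterPermissions.
type AuthzCache struct{ grants map[string]map[string]struct{} }

// Build indexes the current bindings; rebuild it on every ClusterPermission change.
func Build(bindings []Binding) *AuthzCache {
	c := &AuthzCache{grants: map[string]map[string]struct{}{}}
	for _, b := range bindings {
		if c.grants[b.Subject] == nil {
			c.grants[b.Subject] = map[string]struct{}{}
		}
		c.grants[b.Subject][b.Cluster+"/"+b.Namespace] = struct{}{}
	}
	return c
}

// Allowed is true when any subject (the user or one of its groups) holds a
// grant for the exact namespace or for the whole cluster; deny by default.
func (c *AuthzCache) Allowed(subjects []string, cluster, ns string) bool {
	for _, s := range subjects {
		for _, key := range []string{cluster + "/" + ns, cluster + "/"} {
			if _, ok := c.grants[s][key]; ok {
				return true
			}
		}
	}
	return false
}

// Filter keeps only the Search results the subjects are authorized to see.
func (c *AuthzCache) Filter(subjects []string, items []Resource) []Resource {
	out := []Resource{}
	for _, r := range items {
		if c.Allowed(subjects, r.Cluster, r.Namespace) {
			out = append(out, r)
		}
	}
	return out
}
```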

      Acceptance Criteria

      ...

      Dependencies (internal and external)

      1. One thing we need to consider is how often we poll data from Search.
        • If we poll too often it will cause problems for Search.
        • The Search squad is looking at a streaming alternative on the search API to eliminate polling (ACM-21413).

      Previous Work:

      1. https://github.com/stolostron/multicloud-operators-foundation/pull/903/files#diff-51cdb95c928154ed749fe009ee8a053ae2dacdc11f6d7ff0c45432c54dfdf5da
        This was the work needed to enable fine-grained RBAC for OpenShift Virtualization.

      Open questions:

      1. How can the existing work be extended if, for example, we needed the same for ArgoCD GitOps Applications? Would this be a huge effort?
      2. How would this be extended if we needed a solution for all objects in a single namespace, and how much effort would that be?

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Doc issue opened with a completed template. Separate doc issue opened for any deprecation, removal, or any current known issue/troubleshooting removal from the doc, if applicable.
      • Considerations were made for Extended Update Support (EUS)

              leyan@redhat.com Le Yang
              jqiu@redhat.com Jian Qiu
              Hui Chen Hui Chen